> Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account?

Not just an “outlook account” - any account in outlook, with default settings at least.

I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could login to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).

> but this feels like it breaks all sorts of security/privacy expectations.

It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.

The above-mentioned friend migrated his mail to some other service in a huf as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”.